VPC Network Foundation

intermediate

Production-ready VPC with 3 AZs, public/private/isolated subnets, NAT gateways, S3/DynamoDB gateway endpoints, ECR/SSM/CloudWatch interface endpoints, VPC Flow Logs to S3, and an SSM-only bastion host.

Quick Start

Via CLI (recommended)

npx cdk-starter create

Then select "VPC Network Foundation" from the prompt.

Or scaffold directly

npx cdk-starter create --starter vpc-network

README

VPC Network Foundation

Production-ready VPC with 3 AZs, 3 subnet tiers (public/private/isolated), 2 NAT gateways, S3 and DynamoDB gateway endpoints, six interface endpoints, VPC Flow Logs to S3, and a bastion host accessible only via SSM Session Manager.

Use as a foundation

This stack exports its VPC ID. Other stacks can reference the VPC either by looking it up by ID (Vpc.fromLookup resolves at synth time, so the consuming stack needs an explicit account and region in its env):

import * as ec2 from 'aws-cdk-lib/aws-ec2';
const vpc = ec2.Vpc.fromLookup(this, 'Vpc', { vpcId: 'vpc-xxxx' });

Or by consuming the CloudFormation export:

import * as cdk from 'aws-cdk-lib';
const vpcId = cdk.Fn.importValue('VpcNetworkStack-VpcId');

Bastion access

aws ssm start-session --target <instance-id>

No SSH key or open security group ports required.
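The description above makes several posture claims (two NAT gateways, an isolated tier with no internet path, S3/DynamoDB gateway endpoints, flow logs to S3, a bastion with no open ports). The following TypeScript is an added example, not code from the cdk-starter project: it checks those claims offline against the CloudFormation template that `npx cdk synth` writes, so a drift such as a default route added to the isolated tier fails a pipeline before `cdk deploy`. The resource types and property names are CloudFormation's own; identifying the bastion security group by the word "bastion" in its GroupDescription, and relying on the aws-cdk:subnet-type tag that CDK puts on subnets, are assumptions. The embedded template is constructed sample data in the shape synth emits, trimmed to what the checks read.

```typescript
// Added example, not part of the cdk-starter project: offline invariant checks over the
// CloudFormation template that `npx cdk synth` writes for this VPC stack. Resource types
// and property names are CloudFormation's; identifying the bastion security group by its
// GroupDescription and relying on the aws-cdk:subnet-type tag on subnets are assumptions.
interface CfnResource { Type: string; Properties?: Record<string, any>; }
interface Template { Resources: Record<string, CfnResource>; }
interface Finding { check: string; ok: boolean; detail: string; }
type Res = { id: string; r: CfnResource };

function resources(t: Template, type: string): Res[] {
  const out: Res[] = [];
  for (const id of Object.keys(t.Resources)) if (t.Resources[id].Type === type) out.push({ id, r: t.Resources[id] });
  return out;
}
const props = (x: Res): Record<string, any> => x.r.Properties || {};

// Logical id from a plain string, { Ref: id } or { 'Fn::GetAtt': [id, attr] }.
function logicalId(v: any): string {
  if (typeof v === 'string') return v;
  if (v && typeof v.Ref === 'string') return v.Ref;
  if (v && v['Fn::GetAtt']) return String(v['Fn::GetAtt'][0]);
  return '';
}
// Flatten Fn::Join so com.amazonaws.<region>.s3 can be matched by suffix.
function flatten(v: any): string {
  if (typeof v === 'string') return v;
  if (v && v['Fn::Join']) return v['Fn::Join'][1].map(flatten).join(v['Fn::Join'][0]);
  if (v && typeof v.Ref === 'string') return '${' + v.Ref + '}';
  return String(v);
}
function tag(x: Res, key: string): string {
  const tags: { Key: string; Value: string }[] = props(x).Tags || [];
  for (const t of tags) if (t.Key === key) return t.Value;
  return '';
}

function checkVpcTemplate(t: Template): Finding[] {
  const f: Finding[] = [];
  // 1. Two NAT gateways, as documented.
  const nats = resources(t, 'AWS::EC2::NatGateway').length;
  f.push({ check: 'nat-count', ok: nats === 2, detail: nats + ' NAT gateway(s)' });
  // 2. Isolated subnets: no 0.0.0.0/0 route on any route table they are associated with.
  const isolated: Record<string, true> = {}, isolatedRt: Record<string, true> = {};
  for (const s of resources(t, 'AWS::EC2::Subnet')) if (tag(s, 'aws-cdk:subnet-type') === 'Isolated') isolated[s.id] = true;
  for (const a of resources(t, 'AWS::EC2::SubnetRouteTableAssociation'))
    if (isolated[logicalId(props(a).SubnetId)]) isolatedRt[logicalId(props(a).RouteTableId)] = true;
  const leaks = resources(t, 'AWS::EC2::Route')
    .filter((x) => props(x).DestinationCidrBlock === '0.0.0.0/0' && isolatedRt[logicalId(props(x).RouteTableId)]);
  f.push({ check: 'isolated-no-default-route', ok: leaks.length === 0, detail: leaks.map((x) => x.id).join(',') || 'none' });
  // 3. Bastion security group: zero inbound rules, inline or as standalone ingress resources.
  const bastion = resources(t, 'AWS::EC2::SecurityGroup').filter((x) => /bastion/i.test(String(props(x).GroupDescription || '')));
  const bastionIds: Record<string, true> = {};
  let ingress = 0;
  for (const b of bastion) { bastionIds[b.id] = true; ingress += (props(b).SecurityGroupIngress || []).length; }
  for (const i of resources(t, 'AWS::EC2::SecurityGroupIngress')) if (bastionIds[logicalId(props(i).GroupId)]) ingress++;
  f.push({ check: 'bastion-no-ingress', ok: bastion.length > 0 && ingress === 0, detail: bastion.length + ' bastion SG(s), ' + ingress + ' ingress rule(s)' });
  // 4. Flow logs delivered to S3.
  const s3Logs = resources(t, 'AWS::EC2::FlowLog').filter((x) => props(x).LogDestinationType === 's3').length;
  f.push({ check: 'flow-logs-s3', ok: s3Logs > 0, detail: s3Logs + ' flow log(s) to S3' });
  // 5. S3 and DynamoDB gateway endpoints present, so that traffic never crosses the NAT gateways.
  const gw = resources(t, 'AWS::EC2::VPCEndpoint').filter((x) => props(x).VpcEndpointType === 'Gateway').map((x) => flatten(props(x).ServiceName));
  f.push({ check: 'gateway-endpoints', ok: gw.some((s) => /\.s3$/.test(s)) && gw.some((s) => /\.dynamodb$/.test(s)), detail: gw.join(',') || 'none' });
  return f;
}

// Constructed sample in the shape cdk synth emits, trimmed to what the checks read.
const sampleTemplate: Template = { Resources: {
  IsolatedSubnet1A: { Type: 'AWS::EC2::Subnet', Properties: { Tags: [{ Key: 'aws-cdk:subnet-type', Value: 'Isolated' }] } },
  IsolatedRt1A: { Type: 'AWS::EC2::RouteTable' },
  IsolatedAssoc1A: { Type: 'AWS::EC2::SubnetRouteTableAssociation', Properties: { SubnetId: { Ref: 'IsolatedSubnet1A' }, RouteTableId: { Ref: 'IsolatedRt1A' } } },
  PublicRt1A: { Type: 'AWS::EC2::RouteTable' },
  PublicDefaultRoute1A: { Type: 'AWS::EC2::Route', Properties: { RouteTableId: { Ref: 'PublicRt1A' }, DestinationCidrBlock: '0.0.0.0/0', GatewayId: { Ref: 'Igw' } } },
  Nat1A: { Type: 'AWS::EC2::NatGateway' }, Nat1B: { Type: 'AWS::EC2::NatGateway' },
  BastionSg: { Type: 'AWS::EC2::SecurityGroup', Properties: { GroupDescription: 'Bastion host, SSM access only' } },
  FlowLog: { Type: 'AWS::EC2::FlowLog', Properties: { LogDestinationType: 's3', LogDestination: 'arn:aws:s3:::example-flow-log-bucket' } },
  S3Endpoint: { Type: 'AWS::EC2::VPCEndpoint', Properties: { VpcEndpointType: 'Gateway', ServiceName: { 'Fn::Join': ['', ['com.amazonaws.', { Ref: 'AWS::Region' }, '.s3']] } } },
  DdbEndpoint: { Type: 'AWS::EC2::VPCEndpoint', Properties: { VpcEndpointType: 'Gateway', ServiceName: 'com.amazonaws.us-east-1.dynamodb' } },
} };

// Drifted variant: the isolated tier was given a default route through a NAT gateway.
function driftedTemplate(): Template {
  const t: Template = { Resources: { ...sampleTemplate.Resources } };
  t.Resources.IsolatedDefaultRoute1A = { Type: 'AWS::EC2::Route', Properties: { RouteTableId: { Ref: 'IsolatedRt1A' }, DestinationCidrBlock: '0.0.0.0/0', NatGatewayId: { Ref: 'Nat1A' } } };
  return t;
}

for (const r of checkVpcTemplate(driftedTemplate())) console.log((r.ok ? 'PASS ' : 'FAIL ') + r.check + ': ' + r.detail);
```

To run it against the real output, replace the constructed sample with the parsed synth artifact (by CDK convention cdk.out/<StackName>.template.json, so cdk.out/VpcNetworkStack.template.json if the stack keeps the name used by the export above; this path is an assumption) and fail the build when any finding has ok === false. Checks 2 and 3 are the ones worth wiring into CI: the isolated tier's value is precisely that it has no route out, and the bastion's SSM-only access model depends on its security group staying free of inbound rules.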

Prerequisites

  • Node.js ≥ 20
  • AWS CLI configured (aws configure)
  • CDK bootstrapped (npx cdk bootstrap)

Deploy

npm install
npx cdk diff
npx cdk deploy

Tear down

npx cdk destroy